A Way to End Email Phishing Attacks on Employee Data
One way to reduce scammers' ability to get at private data is to move data requests out of email and into a secure, audited system.
Recently a friend of mine told me about a data breach at his company that had compromised the personnel details of every employee, including social security numbers. He was understandably shaken. The breach was due to an employee in HR responding to an email request that appeared to come from an executive within the company asking for a spreadsheet containing the compromised personnel information. It was another example of an email phishing scam that worked perfectly.
It got me thinking about the nature of internal requests like these. Every day, thousands, perhaps millions of requests for internal information are routed via email and attachments throughout organizations. Sometimes, the information requested in an email is “seemingly” harmless (more on that in a moment).
Other information shared via email is high-risk and high-value, and that practice has to stop. We can forgive (and retrain) those duped by a professional phishing attack, but wouldn't it be better to avoid the issue in the first place?
As far as “seemingly” harmless information goes, today’s phishing attacks seem to primarily target private employee data, but there’s no stopping a phisher from going after other critical information like:
- Employee information
- A list of customers
- Strategic planning information
- Product information
- Company financial data
I suggest starting with a list of the types of information considered private/critical/locked down and making it clear to all personnel handling this information that it should never be shared via email under penalty of disciplinary action.
In addition, the recipient should reply to the suspected phishing sender with a scripted, company-supplied message that contains none of the requested data and, separately, call or message the purported requester to confirm they made the request. That confirmation must go through contact details taken from the company directory, never a phone number or reply-to address supplied in the suspicious email, since an attacker controls those. If the requester did not make the request, an alert should go out to all employees warning that the organization is being phished.
Manage Information Requests Safely
Rather than relying on email to distribute critical data, anyone needing this type of information should request it through a secure request management system set up to vet requests, track approvals, create an audit trail, and provide explicit guidance for use.
Here’s why this is a better and safer way to manage requests:
- Only authorized/logged-in users can request information.
- A central authority can scrutinize all requests before any action is taken.
- Only authorized individuals will be alerted to and allowed to fulfill the request.
- The requested information can be securely attached via the system.
- Request forms can be designed to ask for specific, unique codes or identifiers that confirm a request is legitimate.
- All request activity is tracked and can be audited at any time.
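To make the properties in the list above concrete, here is a minimal Python model of such a request workflow. It is an added illustration written for this page, not code from the original article or from any product: the user directory (USERS), the role names, the data class "employee-pii", the FULFILLERS mapping and SERVER_KEY are all constructed for the example. It enforces the points above directly: only known users can submit; a request must be approved by a member of a separate reviewer group who is not the requester; only users holding a role authorized for that data class can fulfill an approved request; each request carries a server-issued code (an HMAC over the request's fields) that a fulfiller can check against the request on file, so a code quoted in a phishing email cannot be invented; and every action lands in a hash-chained audit log whose entries cannot be edited or removed without detection.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample directory. Assumption: in a real deployment the roles come
# from the identity provider and only authenticated users can reach the API.
USERS = {
    "alice": {"employee"},       # ordinary employee who needs data
    "bob":   {"hr-fulfiller"},   # may release employee PII
    "carol": {"data-reviewer"},  # central authority that vets requests
}
FULFILLERS = {"employee-pii": {"hr-fulfiller"}}  # data class -> roles allowed to release it
SERVER_KEY = b"constructed-demo-key"             # assumption: real key lives in a secrets store

class RequestError(Exception):
    """Raised when a workflow rule is violated."""

@dataclass
class Request:
    id: int
    requester: str
    data_class: str
    code: str             # server-issued code bound to this request
    status: str = "pending"

class RequestSystem:
    def __init__(self):
        self._requests = {}
        self.audit = []

    # Audit trail: every entry commits to the hash of the previous one.
    def _log(self, event, **fields):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"prev": prev, "event": event, **fields}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def verify_audit(self):
        """Recompute the chain; an edited or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def _code_for(self, rid, requester, data_class):
        msg = f"{rid}:{requester}:{data_class}".encode()
        return hmac.new(SERVER_KEY, msg, "sha256").hexdigest()[:12]

    def _get(self, rid, expected_status):
        req = self._requests.get(rid)
        if req is None or req.status != expected_status:
            raise RequestError(f"request {rid} is not {expected_status}")
        return req

    def submit(self, user, data_class):
        if user not in USERS:
            raise RequestError("only logged-in users can request information")
        if data_class not in FULFILLERS:
            raise RequestError(f"unknown data class {data_class!r}")
        rid = len(self._requests) + 1
        req = Request(rid, user, data_class, self._code_for(rid, user, data_class))
        self._requests[rid] = req
        self._log("submitted", id=rid, user=user, data_class=data_class)
        return req

    def verify_code(self, rid, code):
        # A fulfiller checks a code quoted in an email against the request actually on file.
        req = self._requests.get(rid)
        if req is None:
            return False
        return hmac.compare_digest(self._code_for(req.id, req.requester, req.data_class), code)

    def approve(self, user, rid):
        req = self._get(rid, "pending")
        if "data-reviewer" not in USERS.get(user, set()):
            raise RequestError(f"{user} is not a reviewer")
        if user == req.requester:
            raise RequestError("a requester may not approve their own request")
        req.status = "approved"
        self._log("approved", id=rid, user=user)

    def fulfill(self, user, rid, attachment_ref):
        req = self._get(rid, "approved")
        if not USERS.get(user, set()) & FULFILLERS[req.data_class]:
            raise RequestError(f"{user} may not release {req.data_class}")
        req.status = "fulfilled"
        # The file is referenced inside the system; it is never sent by email.
        self._log("fulfilled", id=rid, user=user, attachment=attachment_ref)

def allowed(action, *args):
    """True if the action passes the workflow rules, False if it is refused."""
    try:
        action(*args)
        return True
    except RequestError:
        return False
```

The two checks that matter most against the scenario in the opening story are that a fulfiller cannot release anything until a reviewer other than the requester has approved it, and that verify_code fails for any request the system did not itself create, so an email saying "send me the payroll spreadsheet, reference code 1234" has nothing to match against.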
The loss of security, trust, and morale resulting from employee data breaches is catastrophic for organizations. The best solution is to limit email as an information-requesting tool and replace it with a secure, professional request management system.